The comments are a little depressing. Everyone is saying "Oh god uninstall Chrome" when they should be saying "Thank Google, they paid for this thing up front instead of people getting hacked."

Agreed. I did get a kick out of this one : "uninstall yourself out of the internet", which thus far has been the only guaranteed method of avoiding any sort of exploit.

Normally this is the sort of privilege escalation we'd see from IE, but I do wish operating systems, Windows in particular, had better sandboxing for applications. Browser sandboxing alone obviously isn't gonna cut it.

Title is a bit sensationalist and makes no mention of the two Win8/IE10 exploits found at the same event. Nor FF for that matter.

How is the title sensationalist? It describes exactly what happened.

I'm curious why they showed this at Pwn2Own and not Google's own Pwnium, especially if they are going to share the exploit with Goog. Is there more money to be made this way?

This year's Pwnium was focused on Chrome OS, while Google also sponsors Pwn2Own: http://blog.chromium.org/2013/01/show-off-your-security-skil...

I believe there's some conflict between Google and Pwn2Own.

http://en.wikipedia.org/wiki/Pwn2Own#Controversy_with_Google

I believe that the rules were changed this year to require full disclosure. Prize money was upped to commensurate.

Pwnium was ChromeOS only, while the sandbox escape portion of this attack was Windows-only (possibly 32bit Windows only as well?)